ShapeBlue Security Advisory – DNSMasq Vulnerabilities

Overview

As you have likely heard, a number of security flaws were recently found in the DNSMasq tool. This tool is used by many systems to provide DNS and DHCP services, including by the CloudStack System VMs.

According to Google’s investigation into the software, out of seven issues, three — CVE-2017-14491, CVE-2017-14492, and CVE-2017-14493 — are remote code execution flaws caused by heap buffer overflow and stack buffer overflow errors through DHCP and DNS vectors.

Another issue, CVE-2017-14494, can be exploited to bypass the Address space layout randomization (ASLR) memory protection function, leading to information leaks.

Affect On CloudStack

CloudStack’s System VMs use DNSMasq to provide DNS and DHCP services to the guest VMs from the virtual routers. These services are only exposed on the internal guest interface(s) of the virtual routers. Therefore a malicious user could compromise a virtual router to which they have a guest instance attached.

The Fix

On 9th October, an updated version of DNSMasq was released by the authors of DNSMasq for the Debian Wheezy Operating System which the CloudStack System VMs use. We have created new versions of the System VM templates which should be used to replace your existing System VMs using the procedure described below.

A short-term fix for currently running System VMs (if they have internet access) is to log into the System VMs and run:

The above procedure will patch existing virtual routers, but should a virtual router be destroyed and recreated or a new virtual router created, the subsequent virtual router will no longer be patched.

The full fix is to replace the existing System VM template(s) with the latest patched versions as well as recreating or patch existing virtual routers.

System VM Patching Procedure

ShapeBlue has built new System VM templates with updated DNSMasq for major CloudStack versions for XenServer, VMware and KVM hypervisors. We advise CloudStack users to upgrade to the appropriate System VM template and either

Patch all existing virtual routers using the procedure above
or

Recreate all virtual routers using the procedure detailed in the link for updating system VM templates (below)